Adding a role for an LDAP user
An LDAP user's role must also exist in OpsCenter. Add a role in OpsCenter whose name matches one of the LDAP roles assigned to the user.
When an LDAP user has been assigned LDAP roles, exactly one of those roles must also exist as an OpsCenter role; otherwise the user cannot log in to OpsCenter. Add a parallel role in OpsCenter that mirrors the name of one of the LDAP roles assigned to the user. An LDAP user can belong to multiple LDAP roles, but the list of roles returned by the group search must contain exactly one name that is also an OpsCenter role: zero matches and more than one match both block the login. OpsCenter grants the single matching role to the user.
The group_search_type property indicates which method is used to determine LDAP group membership:
- If using directory_search, the group_search_filter_with_dn query must return a list of LDAP roles that matches exactly one of the OpsCenter roles.
- If using memberof_search, the list of LDAP roles taken from the user's memberof attribute must match exactly one of the OpsCenter roles.
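The following is an added example, not OpsCenter code, that walks through the one-match rule above for both group_search_type methods on constructed sample data. It assumes role names are compared by exact string equality, that a memberof value is a group DN whose leading RDN value (the group's cn) is the role name, and that a directory_search returns group entries carrying a cn attribute; the user entries, group DNs and OpsCenter role names are all made up for the example.

```python
"""Added example (not OpsCenter's own code): how the "exactly one matching
role" rule decides an LDAP login for directory_search and memberof_search.

Assumptions (labelled): role names compare by exact string equality;
memberof values are group DNs and the role name is the first RDN value;
directory_search results are dicts with a "cn" key. All sample data below
is constructed for this example.
"""
from typing import Iterable


class OpsCenterLoginError(Exception):
    """Raised when zero or several of the user's LDAP roles are OpsCenter roles."""


def role_name_from_dn(dn: str) -> str:
    """Return the value of the leading RDN of a group DN, e.g.
    'cn=opsadmins,ou=groups,dc=example,dc=com' -> 'opsadmins'.
    Assumption: the group name is the first RDN and contains no escaped commas."""
    first_rdn = dn.split(",", 1)[0]
    attr, sep, value = first_rdn.partition("=")
    if not sep or not value.strip():
        raise ValueError(f"not an attribute=value RDN: {first_rdn!r}")
    return value.strip()


def roles_from_directory_search(search_results: Iterable[dict]) -> list:
    """directory_search: the group_search_filter_with_dn query returns the
    user's group entries; each entry's cn is taken as the LDAP role name."""
    return [entry["cn"] for entry in search_results]


def roles_from_memberof(user_entry: dict) -> list:
    """memberof_search: the user's own memberof attribute lists group DNs."""
    return [role_name_from_dn(dn) for dn in user_entry.get("memberOf", [])]


def select_opscenter_role(ldap_roles: Iterable[str], opscenter_roles: Iterable[str]) -> str:
    """Apply the rule from the section above: exactly one of the user's LDAP
    roles must also be an OpsCenter role. Zero or several matches deny login."""
    matches = sorted(set(ldap_roles) & set(opscenter_roles))
    if len(matches) == 0:
        raise OpsCenterLoginError("no LDAP role matches an OpsCenter role; login denied")
    if len(matches) > 1:
        raise OpsCenterLoginError(f"ambiguous match {matches}; login denied")
    return matches[0]


# Constructed sample data. The non-ASCII role name shows that matching is
# plain string comparison and works for such names too.
OPSCENTER_ROLES = {"admin", "opsadmins", "réseau-ops"}

USER_ALICE = {"uid": "alice", "memberOf": [
    "cn=opsadmins,ou=groups,dc=example,dc=com",
    "cn=developers,ou=groups,dc=example,dc=com"]}        # one match: ok
USER_BOB = {"uid": "bob", "memberOf": [
    "cn=admin,ou=groups,dc=example,dc=com",
    "cn=opsadmins,ou=groups,dc=example,dc=com"]}         # two matches: denied
USER_CAROL = {"uid": "carol", "memberOf": [
    "cn=developers,ou=groups,dc=example,dc=com"]}        # zero matches: denied
USER_DIEGO = {"uid": "diego", "memberOf": [
    "cn=réseau-ops,ou=groups,dc=example,dc=com"]}        # non-ASCII match: ok

# What a directory_search for alice's groups might return (constructed).
DIRECTORY_SEARCH_RESULT_ALICE = [{"cn": "opsadmins"}, {"cn": "developers"}]


def login_outcome(user_entry: dict) -> str:
    """Human-readable result of a memberof_search login attempt."""
    try:
        role = select_opscenter_role(roles_from_memberof(user_entry), OPSCENTER_ROLES)
        return f"{user_entry['uid']}: granted OpsCenter role {role!r}"
    except OpsCenterLoginError as exc:
        return f"{user_entry['uid']}: {exc}"


if __name__ == "__main__":
    for user in (USER_ALICE, USER_BOB, USER_CAROL, USER_DIEGO):
        print(login_outcome(user))
    print("alice via directory_search:",
          select_opscenter_role(roles_from_directory_search(DIRECTORY_SEARCH_RESULT_ALICE),
                                OPSCENTER_ROLES))
```

The practical check this encodes: when an LDAP user cannot log in, list the user's groups (or the result of the group search) and count how many of those names are also OpsCenter roles; the answer must be exactly one, and creating a second mirrored role to "fix" a missing permission will lock the user out rather than help.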
When LDAP is enabled, OpsCenter role-based security supports editing roles only. Creating or editing users is disabled because the users originate in LDAP and are managed there. When creating or editing roles, OpsCenter supports non-ASCII character sets in the role name. Because LDAP supports non-ASCII character sets for user names, OpsCenter also accepts non-ASCII user names for users logging in to OpsCenter.
Prerequisites
If the admin_group_name configuration option is set, log in with a user that has that role so that you can add any needed roles.